Responsible is the:

Walther Spritz- und Lackiersysteme GmbH
Kärntner Straße 18 - 30, D-42327 Wuppertal, Germany
Phone: +49 202 787-0 / Fax: +49 202 787-2217
E-mail: info@walther-pilot.de

You can reach our company data protection officer at:
E-Mail: Datenschutz.Deutschland@wagner-group.com
Phone: +49 202 787-0 / Fax: +49 202 787-2217

First and foremost, we process the personal data that we receive or have collected from the data subjects within the scope of the business or customer relationship. We also process data provided on the basis of inquiries / visits / registrations (e.g. Internet store), consent (e.g. newsletter dispatch) etc. within the scope permitted by law.

In addition, we also process personal data that is made available to us within the scope of order processing and also data from publicly accessible sources (e.g. press, Internet), insofar as it is necessary and permissible for the respective purposes. We also process personal data that is transmitted to us by other companies of the Wagner Group or by third parties (e.g. credit insurers, receivables management, information on criminal acts) as permitted.

The personal data processed by us in this context consists of personal data / identification data (name, address, contact data, user ID, etc.), data from the fulfillment of our contractual obligations (bank data, history, authorizations, etc.), data provided to us in the context of consent, and other data comparable to the aforementioned categories.

The personal data is processed by us in accordance with the regulations of the EU General Data Protection Regulation (DS-GVO) and the Federal Data Protection Act (BDSG) on the basis of the following legal grounds:

1. a) For the performance of a contract (Article 6 para. 1 lit. b DS-GVO).

The processing of personal data is necessary for the performance of a contract to which the data subject is a party or for the implementation of pre-contractual measures, which are carried out at the request of the data subject.

If you make use of additional services, your data will be processed insofar as this is necessary for the provision of these additional services.

b) In the context of commissioned processing (Article 28 DS-GVO).

The processing of personal data on behalf of third parties shall take place exclusively on the basis of instructions within the framework of the statutory regulations.

2. within the framework of the balancing of interests (Article 6 para. 1 lit. f DS-GVO).

Beyond the actual performance of the contract with you, we process your data insofar as it is necessary to protect our legitimate interests or the legitimate interests of third parties provided that your interests do not prevail. Examples are:

- Internal and external communication

- Documentation

- Internal and external monitoring (ICS controls or metrics)

- Internal and external investigations, security checks

- Credit assessment to avoid bad debts

- Measures for business management and further development of services and products

- Advertising

- Authorization management

- IT security measures

- Event management

- Assertion / defense of legal claims, including legal disputes

- Prevention and detection of criminal acts

- Measures for building and facility security (e.g. access controls)

- Measures to ensure domiciliary rights

- Risk management via the Wagner group of companies

3. on the basis of your consent (Article 6 para. 1 lit. a DS-GVO).

Insofar as you have consented to certain processing of your personal data (e.g. newsletter dispatch, participation in promotions), the lawful processing of your personal data is based on this consent. You can revoke a given consent at any time with effect for the future. This also applies to declarations of consent that you gave us before the GDPR came into force, i.e. before May 25, 2018. Since the revocation of consent applies to the future, it does not affect the validity of the processing until the time of revocation.

4. statutory or legal requirements (Article 6 para. 1 lit. c DS-GVO or in the public interest (Article 6 para. 1 lit. e DS-GVO).

In addition, various legal obligations apply to us as a company (e.g. tax laws, money laundering law). These include, among others, identity verification, fraud and money laundering prevention, the fulfillment of control and reporting obligations under tax law, and the assessment and management of risks in the company and the Wagner Group.

The company ensures the implementation of appropriate technical and organizational measures for data security through internal regulations and - if the data is processed by an external service provider - through appropriate contractual agreements, such as the use of the EU standard contractual clauses when data is processed outside the European Union.

Please arrange for any necessary changes to your data in good time. You can clarify questions about your data via the relevant departments or the data protection officer, and request both information and the correction / deletion of incorrect data or data that is no longer required.

In compliance with the statutory provisions and the existing internal regulations, the bodies that need your data to fulfill our contractual and statutory obligations will have access to it. Likewise, service providers and vicarious agents used by us (e.g. IT service providers, logistics, telecommunications, debt collection, consulting, financial services, marketing agencies, insurance companies ...) may access your data for these purposes, provided that you maintain the confidentiality and integrity of the data in particular.

We only pass on personal data to recipients outside our company if and to the extent that this is necessary in compliance with the applicable data protection regulations. We may only pass on information about you if this is required by law, you have given your consent or we are authorized to provide information. Recipients of personal data may be, for example:

For operational purposes

• To other companies of the Wagner Group
• To service providers / order processors
• To customers, suppliers, partners

For reporting and information obligations

• To authorities and other bodies (e.g. tax authorities, auditors)

To clarify claims and accusations

• To lawyers, law enforcement agencies, creditors or insolvency administrators

To recipients you have explicitly named

• To credit and financial services institutions

In addition, your personal data may be transferred to recipients for whom you have given us your consent. The same applies to bodies to which we may transfer personal data on the basis of a balancing of interests.

We transmit personal data to bodies in countries outside the European Union (so-called third countries) insofar as

• it is required by law (e.g. reporting obligations under tax law)
• you have given your consent, or
• the transfer is necessary to protect our legitimate interests and your interests or fundamental rights and freedoms to protect your personal data do not override.

In addition, personal data will be transferred to entities in third countries in the following cases:

• With the consent of the data subject or due to legal regulations to combat money laundering, terrorism financing or other criminal acts, as well as on the basis of a balancing of interests, personal data will be transferred in individual cases in compliance with the level of data protection in the European Union.

Your personal data will only be stored or otherwise processed by us for as long as is necessary to achieve the respective purpose.

If the purpose of the processing is no longer applicable (e.g. legal transaction completed), the corresponding personal data will be deleted. In the following cases, the deletion may be postponed:

• Compliance with statutory retention periods (e.g. German Commercial Code (HGB), German Banking Act (KWG), German Money Laundering Act (GwG). The retention periods specified there are generally 6 to 10 years.
• Fulfillment of justified retention periods (e.g. for customer service, inquiries, log files).
• Safeguarding of evidence within the legal statute of limitations. According to §§ 195 ff. of the German Civil Code (BGB), these limitation periods can be up to 30 years. The regular limitation period is 3 years.

If we or a third party process your data on the basis of the above-mentioned balance of interests, we will delete your personal data as soon as our legitimate interest no longer exists. The exceptions mentioned above also apply here.

Data deletion takes place within the framework of the deletion routines implemented by the process owners.

In the case of consent, the data is deleted as soon as the consent is revoked for the future, unless one of the above exceptions applies.

To protect against the various threats to our IT - e.g., from malware, hacker attacks, spam - and Intellectual Property, various procedures are used in which the exchanged information is examined for viruses, for example, and the connection data is examined for anomalies. If anomalies are detected, the relevant documents and connection data can be analyzed.

To ensure compliance with existing delivery and payment restrictions - for example, to companies and individuals on various government lists - a check can be made against this list.

In addition, in cases of suspicion, in the case of investigations by the authorities and in order to defend claims against our company, an investigation and, if necessary, the release of data and documents relating to the persons concerned may be necessary.

In all cases, our internal regulations, the legal requirements and the personal rights of the persons concerned will be observed.

According to Article 15 of the DS-GVO, every data subject has the right to information. Pursuant to Article 16 of the DSGVO, the data subject may request rectification of inaccurate personal data. Pursuant to Article 17 of the DSGVO, the data subject has the right to erasure or, pursuant to Article 18, the right to restriction of processing. Likewise, the data subject may object to the processing of personal data concerning him or her under the conditions laid down in Article 21 of the DSGVO. Pursuant to Article 20 DS-GVO, the data subject has a right to data portability. To assert these rights, you can contact the data protection officer or the respective department: In addition, pursuant to Article 77 DS-GVO in conjunction with Section 19 BDSG, you have the right to lodge a complaint with the competent data protection supervisory authority. Consent given can be revoked at any time by contacting us.

Within the scope of the legal transaction to be carried out with you, you are obliged to provide the personal data that is required for the execution of the legal transaction and for the fulfillment of the associated contractual obligations or which we are legally obliged to collect.

If you do not provide certain personal data, you may suffer disadvantages or the legal transaction may not be concluded.

According to Article 22 of the DS-GVO, automated decisions can only be made if they are necessary for the conclusion or fulfillment of a contract or are permitted by legal provisions or are legitimized by the express consent of the data subject.

If we use such procedures in individual cases, you will be informed about this and about your associated rights within the framework of the legal requirements.

Your data is partly processed automatically in order to evaluate certain personal aspects (profiling). For example, due to legal and regulatory requirements, we are obliged to combat money laundering, terrorist financing and asset-threatening crimes. In this context, data evaluations are also carried out.